Reputation: 53
Usecase:
I want to write a server application that launches a docker container per customer with only the specific customer data inside (for data protection). The service should run on openshift or openshift origin.
Where I have searched:
openshift origin latest documentation
openshift origin m4 documentation
What I already know:
I can launch a docker container from inside a docker container if the first container is a privileged container or the docker socket and binary from the host are linked into it.
[Edit 31.10.15] Like: docker run -v /var/run/docker.sock:/var/run/docker.sock ...
What I don't know:
Is it possible to launch a privileged docker container on openshift or use the openshift api from inside the docker container to launch another docker container (with specific runtime configuration)? BTW: the "mother" container should be scalable.
Upvotes: 5
Views: 4458
Reputation: 3316
It is possible - OpenShift does the same thing to run the build container that performs Docker and source builds. On the container security context (in your pod definition) set privileged to true and define your volume mount of /var/run/docker.sock.
Note that you'll need to have the authority to launch privileged containers (regular users aren't allowed to set priv or host mount), which can be done by adding your project to the "privileged" security context constraint (https://docs.openshift.org/latest/admin_guide/manage_scc.html). In 1.0.7 there is a policy command that makes it easier: oc policy add-scc-to-service-account
Upvotes: 0
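The two settings the answer above names, `privileged: true` on the container securityContext and a hostPath mount of /var/run/docker.sock, rendered into a per-customer Pod manifest. This is an added example, not code from the question or the answer: the project name "launcher", the service account "launcher-sa", the image "launcher:latest" and the customer-data path under /srv/customers are assumptions for illustration, and the SCC grant uses the current `oc adm policy add-scc-to-user` syntax rather than the 1.0.7 command quoted in the answer.

```shell
#!/bin/sh
# Added example (not from the original question or answers). Renders one Pod
# manifest per customer with the settings the answer describes: a privileged
# security context plus a hostPath mount of the host's Docker socket.
# Assumed names: project "launcher", service account "launcher-sa",
# image "launcher:latest", customer data under /srv/customers/<id>.

# The customer id is interpolated into YAML and into the object name, so only
# accept a DNS-label-style value (lowercase alphanumerics and '-', <= 63 chars).
valid_customer_id() {
    printf '%s' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# Print the Pod manifest for one customer to stdout; fails on a bad id.
render_pod_manifest() {
    customer="$1"
    valid_customer_id "$customer" || { echo "invalid customer id: $customer" >&2; return 1; }
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: launcher-${customer}
  labels:
    app: launcher
    customer: ${customer}
spec:
  serviceAccountName: launcher-sa
  containers:
  - name: launcher
    image: launcher:latest
    securityContext:
      privileged: true                 # needs the "privileged" SCC
    volumeMounts:
    - name: docker-sock
      mountPath: /var/run/docker.sock  # talk to the host's Docker daemon
    - name: customer-data
      mountPath: /data
      readOnly: true
  volumes:
  - name: docker-sock
    hostPath:
      path: /var/run/docker.sock
  - name: customer-data
    hostPath:
      path: /srv/customers/${customer}
EOF
}

# Allow the service account to use the "privileged" SCC. Must be run once by a
# cluster admin before any of these pods will be admitted.
grant_privileged_scc() {
    oc adm policy add-scc-to-user privileged -z launcher-sa -n launcher
}

# Create the pod for one customer in the assumed project.
launch_for_customer() {
    render_pod_manifest "$1" | oc create -n launcher -f -
}
```

Usage: `grant_privileged_scc` once, then `launch_for_customer acme-1` per customer. Note what the socket mount hands over: the launcher container talks to the node's Docker daemon as a peer of OpenShift itself, so it can list, stop, exec into and read from every container on that node, including the ones started for other customers. That is the trade-off to weigh against the per-customer data protection the question is after.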
Reputation: 1323573
After reading jpetazzo's "Using Docker-in-Docker for your CI or testing environment? Think twice.", I would consider using sibling containers instead of nested containers.
The following extract talks about CI but could be applied to OpenShift launching containers per client (instead of a CI launching containers):
Do you really want Docker-in-Docker? Or do you just want to be able to run Docker (specifically: build, run, sometimes push containers and images) from your CI system, while this CI system itself is in a container?
The simplest way is to just expose the Docker socket to your CI container, by bind-mounting it with the -v flag. Simply put, when you start your CI container (Jenkins or other), instead of hacking something together with Docker-in-Docker, start it with:
docker run -v /var/run/docker.sock:/var/run/docker.sock ...
Now this container will have access to the Docker socket, and will therefore be able to start containers. Except that instead of starting "child" containers, it will start "sibling" containers.
Upvotes: 3